0 / 10 flipped
On-Path Attack
Tap to reveal
An attack where the attacker positions themselves between two communicating devices, intercepting and optionally modifying all traffic. Both victims believe they are communicating directly with each other; neither is aware of the attacker's presence. Enables credential theft, session hijacking, data modification, and content injection. Formerly called man-in-the-middle (MITM). Requires the attacker to have a position on the network path between the two victims.
ARP (Address Resolution Protocol)
Tap to reveal
A Layer 2 protocol that maps IP addresses to MAC addresses within a local subnet. When a device knows an IP address but not the corresponding MAC, it broadcasts an ARP request; the device with that IP responds with its MAC. The result is cached in the ARP table. ARP has no authentication β any device can send ARP replies claiming any IP address; receiving devices accept these claims without verification. This design limitation is what ARP poisoning attacks exploit.
ARP Cache
Tap to reveal
A temporary table on each networked device mapping IP addresses to MAC addresses learned via ARP. When a device needs to communicate with an IP on the same subnet, it checks the cache first to avoid broadcasting. ARP cache entries expire and are refreshed by new ARP traffic. Because the cache accepts unsolicited ARP updates without authentication, it is the direct target of ARP poisoning β the attacker overwrites the cache entry for the gateway's IP with their own MAC address, redirecting all traffic to themselves.
ARP Poisoning
Tap to reveal
An on-path attack technique that corrupts ARP caches with forged, unsolicited ARP replies. The attacker sends gratuitous ARP frames claiming to be the gateway (or another target) and overwrites the victim's cached MAC with the attacker's own MAC. By poisoning both ends simultaneously, all traffic between them flows through the attacker. Operates only within a single subnet β ARP frames don't cross router boundaries. Mitigated by Dynamic ARP Inspection (DAI) on managed switches and network segmentation.
Gratuitous ARP
Tap to reveal
An unsolicited ARP reply sent without a preceding ARP request. Legitimate use: a device announces its presence or IP change to update neighboring caches. Attack use: attacker sends gratuitous ARPs claiming a false IP-to-MAC mapping to poison other devices' caches. Because ARP caches accept these unsolicited updates without authentication, repeated gratuitous ARPs are the primary mechanism of ARP poisoning attacks. Wireshark shows gratuitous ARPs as ARP replies with no matching prior request.
On-Path Browser Attack
Tap to reveal
An on-path attack where malware on the victim's own device intercepts browser communications before encryption is applied and after decryption β bypassing HTTPS entirely. Unlike network-layer on-path attacks, this operates locally inside the device. The malware typically waits for banking logins, captures session tokens, and initiates unauthorized background transactions while the victim interacts normally. Network monitoring cannot detect it; everything at the network layer is legitimate HTTPS. Formerly called man-in-the-browser (MITB).
Why HTTPS Doesn't Stop Browser Attacks
Tap to reveal
HTTPS encrypts data between the browser's TLS layer and the server. An on-path browser attack sits above the TLS layer β inside the browser application itself. Outbound: the malware intercepts data before TLS encrypts it. Inbound: TLS decrypts the server's response, then the malware intercepts the plaintext before the browser renders it. The encrypted HTTPS tunnel is intact and legitimate β the attack is entirely local. The padlock icon indicates a valid encrypted connection to the server; it provides no guarantee about what's happening inside the browser's own process.
Dynamic ARP Inspection (DAI)
Tap to reveal
A switch-level security feature that validates ARP packets against a trusted binding table (built from DHCP snooping). Any ARP reply claiming an IP-to-MAC mapping that contradicts the binding table is dropped at the switch before it reaches other devices. Directly prevents ARP poisoning β the attacker's gratuitous ARP replies are silently discarded, and victim ARP caches are never corrupted. Requires managed switches that support DAI and proper DHCP snooping configuration. Enterprise-standard ARP poisoning defense.
SSL Stripping
Tap to reveal
An on-path attack where the attacker downgrades a client's HTTPS connection to HTTP. The attacker intercepts the client's initial HTTP request to a site, establishes HTTPS with the server, and serves the client an HTTP version. Client sends data in plaintext to the attacker; attacker forwards it encrypted to the server. The client never sees the HTTPS padlock and their data is exposed in transit. Mitigated by HTTP Strict Transport Security (HSTS), which instructs browsers to always use HTTPS for a domain regardless of what the server sends.
Network Segmentation vs. ARP Poisoning
Tap to reveal
ARP poisoning requires the attacker to be on the same Layer 2 network segment as both victims β ARP frames cannot cross router or VLAN boundaries. Network segmentation exploits this constraint: by separating workstations from servers, sensitive systems from general users, or guests from internal networks into different VLANs or subnets, an attacker on one segment cannot perform ARP poisoning against devices on another. A flat network (everything on one subnet) maximizes the attack surface; a properly segmented network limits each attacker to their own segment.